I need an engineer / Targeting: snipe or mass destruction? / What can be done / found on the Internet

How did it start?

I want to scan the Internet!!!

• Scan for obscure web forums to gather versions of phpBB, vBulletin and others
• Scan for card sharing servers
• Get carrot juice, a veggie burger and some sleep
• Idea: scan for everything everywhere
• Internet Census (2012): well played, f*****g Carna Botnet
Why do we care about network recon?

• For attackers: information is as valuable as 0-days
  • Allows building the attack path
  • Avoids wasting 0-days
  • Finds opportunistic targets
• For defenders: learn about yourself
  • Should allow them to learn about their own attack surface
  • Should guide them to concentrate defenses where they are the most exposed and sensitive
Roadmap

This talk
• Engineering: how to design an Internet-wide scanner
• Targeting: what is a target?
• Applications: what we find on the Internet
Plan

1. I need an engineer
   • Overview
   • Defuse mines: why port scan is not for pussies
   • Scalability: I need a medic
   • Optimization: I REALLY need an engineer
   • Another step with libleeloo and nodescan
2. Targeting: snipe or mass destruction?
3. What can be done / found on the Internet
Tools of the trade

Well known tools for pentesters
• Port scanners: nmap, zmap, masscan...
• Banner grabbers++: snmpwalk, sslscanner, nikto, BlindElephant, ...
• OS fingerprinting: nmap, p0f, sinFP...

Problems
• Distribution and scalability
• No searchable web interface
Hmm, it looks like a vulnerability scanner?

It looks like, but it does not taste like!

• Try to scan a /8 with Qualys / Nessus / *
  • Expensive: need to sell your kid's kidneys at least
  • Super slow: imagine the 1,000,000+ page PDF report
• Might do something with Metasploit
  • Add an efficient port scanner
  • Add a database and index the results

Problems: size matters
• Costs
• SCALING again!
Needs and objectives

What we want
• Collect L7 unstructured information: texts, certificates, images, keys...
• Analyze all the unstructured information

How to get it
• Distribute multiple scans among multiple probes
• Thin probes: "local" view of the scan, they only know what they scan, nothing else
• Dynamic scalability:
  • Add/remove targets on the fly
  • Add/remove probes on the fly
Design: piece of cake!

KISS = Keep It Simple, Stupid
• Use a port scanner and a few other tools
• Distribute the scan job among n machines with for instance RabbitMQ
• Gather the data in a big database

I LOVE IT WHEN A PLAN COMES TOGETHER.
At first, we had nmap

Pros
• Stable and widely used
• Powerful NSE scripts engine
• Correctly fast with good timing options

Cons
• Runs on a single host
• Can not add targets on the fly (even with -iL -)

At first, we had nmap

[Figure: nmap traffic over time, x axis: Time (s)]

Remarks
• Scans targets by group and waits for answers
• Multiple "waiting" sessions
• This is where masscan and zmap are somehow better
Multiple nmap: one to rule them all?

[Figure: TX and RX traffic of several concurrent nmap processes, x axis: Time (s)]

• Network exhaustion
• Process limitation
• No synchronization between the processes
=> Worse on multiple hosts!
Becoming scalable: a first try

Example with 3 probes
• Divide the target set in 3
• Give each host a third of the target space
• Collect the results from the probes
Becoming scalable: the plan B

Being scalable
• Divide the target set in fixed-size randomized blocks of IPs/blocks
• Create a queue of tasks to perform
• Send them to your probes on-demand

Scalability 101: what we need
• A message passing protocol (rabbitmq, mpi, ...) to give orders and get back the results
• A scanner (nmap for now)
• Something to keep track of what's been done
Becoming scalable: the plan B (what we need)

Another piece of cake
• A library that randomizes the target set
• AMQP for the task management and tracking

Extra bonus
• Probes are on a need-to-know basis
• New probes can be added on the fly, they just grab new tasks
• Probes can go away without ACKing a task, it will be performed by a new one
Splitting the targets

What is a target?
• A target is a union / exclusion of intervals of IP addresses

Naive algorithm
• Create a list of all unique IP addresses
• Randomize the set to avoid consecutive scanning (and thus complaints)
Splitting the targets with a PRNG

Step 1: initial configuration
• Wanted ranges are the full lines
• Excluded ranges are the dashed lines

[Figure: wanted and excluded intervals drawn over the IPv4 space]

Step 2: sorting and merging intervals

[Figure: the sorted and merged intervals over the IPv4 space]

Randomization
• There are N (= C + D + B - A) IPs among R (= 2) distinct ranges
• Compute a random permutation of [0..N[
• For each integer i of this permutation, grab the IP at the i-th index
• Create blocks of G (= 4 for instance) randomly chosen IPs and send them to the probes
• An example: [30, 10, 5, 42, 20, 28, 48, 49, ...]
  Block 0: 30, 10, 5, 42
  Block 1: 20, 28, 48, 49
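The three steps above, written out as an added example (this is not libleeloo's code): wanted and excluded CIDRs are merged into sorted disjoint intervals, the i-th address of the whole set is located through prefix sums, and a seeded permutation of [0..N[ is cut into blocks of G addresses that can be handed to probes. The CIDR inputs in the demo are constructed.

```python
import bisect
import ipaddress
import random


def _to_range(cidr):
    """Return the (first, last) integer addresses of an IPv4 CIDR, inclusive."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def merge_intervals(intervals):
    """Step 2: sort inclusive (lo, hi) pairs and merge overlapping or adjacent ones."""
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def subtract_intervals(wanted, excluded):
    """Remove the excluded (dashed) ranges from the wanted (full) ranges.
    Both inputs must already be sorted and merged."""
    result = []
    for lo, hi in wanted:
        cur = lo
        for elo, ehi in excluded:
            if ehi < cur or elo > hi:
                continue
            if elo > cur:
                result.append((cur, elo - 1))
            cur = max(cur, ehi + 1)
            if cur > hi:
                break
        if cur <= hi:
            result.append((cur, hi))
    return result


class TargetSet:
    """Union / exclusion of IPv4 intervals with random, block-wise iteration."""

    def __init__(self, wanted_cidrs, excluded_cidrs=()):
        wanted = merge_intervals(_to_range(c) for c in wanted_cidrs)
        excluded = merge_intervals(_to_range(c) for c in excluded_cidrs)
        self.ranges = subtract_intervals(wanted, excluded)
        # offsets[k] = number of addresses in ranges[:k]; offsets[-1] is N
        self.offsets = [0]
        for lo, hi in self.ranges:
            self.offsets.append(self.offsets[-1] + (hi - lo + 1))
        self.size = self.offsets[-1]

    def ip_at(self, i):
        """Map an index i in [0..N[ to the i-th address of the merged ranges."""
        if not 0 <= i < self.size:
            raise IndexError(i)
        k = bisect.bisect_right(self.offsets, i) - 1
        lo = self.ranges[k][0]
        return str(ipaddress.ip_address(lo + (i - self.offsets[k])))

    def blocks(self, group_size, seed=None):
        """Yield blocks of G addresses taken from a random permutation of [0..N[.
        A shuffled list is fine for a demo; a full-Internet scan would use a
        PRNG-based permutation function instead of materialising N integers."""
        perm = list(range(self.size))
        random.Random(seed).shuffle(perm)
        for start in range(0, self.size, group_size):
            yield [self.ip_at(i) for i in perm[start:start + group_size]]


if __name__ == "__main__":
    # constructed demo: two overlapping wanted ranges, one excluded /31 in the middle
    ts = TargetSet(["10.0.0.0/29", "10.0.0.4/30"], excluded_cidrs=["10.0.0.2/31"])
    print("N =", ts.size, "ranges =", ts.ranges)
    for n, block in enumerate(ts.blocks(4, seed=7)):
        print("Block", n, block)
```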
Optimization: upgrade the scanner

zmap
• Asynchronous I/O engine for the packets
• Can share a target on several hosts
• Can not add probes dynamically
• Can not add targets on the fly
• Scripting is a pain
• Requires a Telco for maximum efficiency

masscan
• Asynchronous I/O engine for the packets
• Can share a target on several hosts
• Can not add probes dynamically
• Can not add targets on the fly
• Scripting is a pain++
• Requires a Telco for maximum efficiency
Keep in mind...

Scanning very large sets of IPs dynamically is not only about sending packets as fast as possible...

The Devil is in the details!

Scanning the results of a scan
• You scan a large set of IPs
• You sort the results according to whatever criteria (port 1234 open)
• You want to rescan this subset
• Problem: you now have like 200k small intervals of IPs
=> Adding and looking up are complexity-killing operations too
IP intervals management: intervals add performances

[Figure: benchmark of interval insertion, done on a Core i7-3520M]

IP intervals management: random lookup performances

Lookup performances
• libleeloo and masscan can provide about 12,204,000 random lookups/second
IP intervals management

Tree-based model
• Model: intervals stored as a tree (lower memory usage), only supports CIDR ranges
• Add: logarithmic complexity since the tree is balanced
• Lookup: complexity depending on the height of the tree

masscan
• Model: list of intervals stored as pairs of uint32 in an array
• Add: exponential complexity since it checks that the new one is not already in a former one
• Lookup: logarithmic by using a pre-computed cache (non configurable size)

libleeloo
• Model: same as masscan
• Add: just add the new intervals in the array, aggregate once at the end
• Lookup: logarithmic, also using a cache of configurable size (user-defined memory/performance trade-off)
The scanner of our dreams

What do we dream of?
• SYN engine as efficient as masscan
• Scripting as easy as nmap
• Can run as a daemon to stream targets as they come

Patching masscan? You said patching?
• Need to change core components, not maintainable in the long run
• Can not support properties for IPs
• Can not support complex scan actions at layer 7
Another step with libleeloo and nodescan

libleeloo: intervals and properties

libleeloo
• A C++ library with Python bindings
• Manages intervals of IPs as seen previously
• Supports properties
• Available at https://github.com/quarkslab/libleeloo

Properties?
• Specific information for some IPs or ranges
• Custom TCP/UDP ports, specific credentials to test, ...
Example: attaching multiple properties to IP intervals

    import pyleeloo

    ranges = pyleeloo.ip_list_intervals_with_properties()

    # The organisation's range
    ranges.add("192.42.0.0/16")

    # SSH servers
    ranges.add_property("192.42.4.0/24", [22, 2222])

    # VPN servers
    ranges.add_property("192.42.4.10-20", [1194])

    ranges.aggregate()

    # Called when two overlapping properties must be merged: here, union the port lists
    def merge_ports(portsA, portsB):
        portsA.extend(portsB)

    ranges.aggregate_properties(merge_ports)

    print(ranges.property_of("192.42.66.0"))
    # None

    print(ranges.property_of("192.42.4.1"))
    # [22, 2222]

    print(ranges.property_of("192.42.4.15"))
    # [22, 2222, 1194]
Nodescan

A L7 asynchronous engine
• A C++ library with Python bindings to build a custom L7 scanner
• L7 Python scripting a la nodejs with callback definitions
• Supports scan pause and resume
• Allows complex actions like in SSL, SSH, SIP, ...
• Built on asynchronous UNIX sockets (for now)
• Beta on https://github.com/quarkslab/nodescan

Scanning L7 with nodescan: architecture

[Diagram]
• Targets definitions: level 4 (IP/port)
• Scan engine: checks targets availability, calls user-defined callbacks and processes timeouts
• Level 7 processing: user-defined processing callbacks (plugins), which can reinject new targets
Scanning L7 with nodescan by example

Classical way, with a list of IPs and ports

    import pyleeloo
    import pynodescan
    from pyleeloo import tcp_port

    ips = pyleeloo.ip_list_intervals()
    ips.add("37.187.47-50.70-120")
    ips.add("173.194.34.14")

    ports = pyleeloo.port_list_intervals()
    ports.add(tcp_port(80))
    ports.add(tcp_port(22))
    ports.add(tcp_port(443))

    targets = pynodescan.IPV4TargetSet(ips, ports)
Scanning L7 with nodescan by example

By specifying a list of (IP, port) pairs

    targets = pynodescan.SimpleTargetSet()
    targets.add_target("37.187.47.70", tcp_port(80))
    targets.add_target("173.194.40.134", tcp_port(22))
Scanning L7 with nodescan by example

After the targets, define how to reach them: the engine

    # 'nsockets' defines the number of concurrent asynchronous sockets used
    engine = pynodescan.AsyncEngine(targets=targets, nsockets=10000, timeout=10)
Scanning L7 with nodescan by example

Simple LVL4 connection to build an HTTP scraper

    def send_payload(target, lvl4sm, hsm):
        # Send GET /
        target.send("GET / HTTP/1.0\n\n")
        # Trigger on newlines
        lvl4sm.set_char_data_trigger('\n', on_newline)
        # return True to go on with this target
        return True

    def on_newline(target, lvl4sm, hsm, buf):
        # Append each received line to a per-IP result file
        with open("res/%d" % target.ipv4(), "ab") as f:
            f.write(buf.tobytes())
        return True

    engine.set_lvl4_connected_callback(send_payload)
Scanning L7 with nodescan by example

Getting to level 7...
• Classes that wrap level 7 protocols
• Provide specific callbacks: on_content, on_certificate, ...
• The user just defines what to do on each event
• Currently supports HTTP, SSH and SSL public key/certificate grabbing and SIP headers
Scanning L7 with nodescan by example

Same with the HTTP wrapper

    import sys

    def write_header(target, key, value):
        # One "key: value" line per received header, appended to the per-IP file
        with open("res/%d" % target.ipv4(), "ab") as f:
            f.write(("%s: %s\n" % (key, value)).encode())

    def write_content(target, code, content):
        with open("res/%d" % target.ipv4(), "ab") as f:
            f.write(content.tobytes())

    HTTPGrabber = (
        pynodescan.protocols.HTTPMethod("GET", "/", {"User-agent": "pony/1.0"})
        .on_header(write_header)
        .on_content(write_content)
        .on_error(lambda target, err: print((target, err), file=sys.stderr))
    )
    engine.set_lvl4_connected_callback(HTTPGrabber)
Scanning L7 with nodescan by example

Try to grab SSL certificates only if the HTTP server answered

    # Remember, the target set is defined as a SimpleTargetSet
    targets = pynodescan.SimpleTargetSet()
    targets.add("X.X.X.X/24", tcp_port(80))
    [...]
    # Add a new target on the fly as soon as an HTTP body comes back
    HTTPGrabber = HTTPGrabber.on_content(
        lambda target, lvl4sm, hsm, content:
            targets.add_target(target.ipv4(), tcp_port(443)))
    SSLGrabber = pynodescan.protocols.SSL().on_certificate(save_certif)

    engine.set_lvl4_connected_callback(
        PortRouter({tcp_port(80): HTTPGrabber,
                    tcp_port(443): SSLGrabber
                    }))
Another step with libleeloo and nodescan

Engineering conclusion
• Scanning large sets of IPs is not only about sending raw SYN packets
• Especially if you want to do that dynamically (adding targets or probes)
• Especially if you want to collect data at layer 7 and react accordingly
Plan

1. I need an engineer
2. Targeting: snipe or mass destruction?
   • What is a target?
   • Targeting subdomain *.gouv.fr
   • Retrieving the reverse whois database
   • Domain scraping
3. What can be done / found on the Internet
Target acquisition

What is a country / company / agency in the cyberspace?
• Domains ending with the same TLD (ex.: .fr)?
• Netblocks announced at some domestic peering exchange?
• Address registry allocation?
• GeoIP?

Target = *2IP
• Convert whatever to a set of IPs
• Take GeoIP
• Take ranges from RIPE, ARIN, ...
• Take netblocks from whois databases
• Take IPs behind an AS
Targeting a country

Based on GeoIP
• Outsources the problem of figuring it out
• Misses some DNS names hosted overseas
• Simplifies the jurisdictional issues

Country   GeoIP   whois   GeoIP ∪ whois
France    79M     75M     97M
Spain     29M     16M     30M
Use-case: what is *.gouv.fr

• A national sub-domain
• No specific registrar
• No general DNS

• Find as many domains ending with *.gouv.fr as possible
• For each domain:
  • Get the corresponding IP
  • Get the whois associated to the IP
  • Consider the netrange the IP belongs to (1)

(1) Assumes a hosting company might host several IPs related to *.gouv.fr

• #1: get a whois database, which is a pain to parse
• #2: get domains from Google / Bing / others, which do not want to be scraped
whois issue: build your own reverse whois cache

Accessing the whois database
• Formerly available at ipindex.homelinux.net but the domain is dead now
• Bulk access to whois data has to be asked for from each registrar
• And you have to send a letter to APNIC (so 2014)

What we just need: a reverse whois database
• Goal: for each IP, know what netblock it belongs to, and who owns this netblock
• Ex.: who owns 42.0.0.0/8, 42.0.0.0/16, 42.0.0.0/24 and any potential subnetwork
Why are whois servers a pain?

whois: back to the future in the 70's.

• MANY whois servers, each with its own output format
• Some servers answer to X.X.X.X, some to X.X.X.X/8 (and of course, not reciprocally)
• Some give the inetnum of the higher level, some don't

• whois 113.11.0.0    => inetnum: 113.11.0.0 - 113.11.127.255
• whois 113.11.0.0/16 => inetnum: 113.0.0.0 - 113.255.255.255
• whois 113.7.0.0/16  => inetnum: 113.0.0.0 - 113.7.255.255
• whois 113.7.0.0     => inetnum: 113.0.0.0 - 113.7.255.255

WHAT THE FUCK DID I JUST SEE?
Building the reverse whois database

Algorithm
• Query every /8, /16 and /24
• Query random IPs to get a granularity below /24 and aggregate the intervals

Results
• Took 1 day for all /8, /16 and /24
• Much longer for intervals below /24
• Distributed our requests, made them slowly, so as not to be banned
• Thank you nodescan and libleeloo :)
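A reverse whois cache in the spirit of the algorithm above, as an added example that is not the authors' code: it parses the RIPE/APNIC "inetnum" form and the ARIN "NetRange"/"CIDR" form, collapses the same block returned by many queries, answers lookups with the most specific known block (which is how it copes with servers that only hand back the higher-level inetnum), and tells whether a prefix still needs the random-IP refinement step. The whois answers are constructed samples reusing the slide's 113.x ranges plus RFC 5737 documentation networks; the netnames are made up.

```python
import ipaddress
import re

# Constructed whois answers, not real registry data. Netnames are invented.
SAMPLE_ANSWERS = [
    ("113.11.0.0",    "inetnum:   113.11.0.0 - 113.11.127.255\nnetname:   EXAMPLE-NET-A\n"),
    ("113.11.0.0/16", "inetnum:   113.0.0.0 - 113.255.255.255\nnetname:   EXAMPLE-APNIC-8\n"),
    ("113.7.0.0/16",  "inetnum:   113.0.0.0 - 113.7.255.255\nnetname:   EXAMPLE-BLOCK\n"),
    ("192.0.2.5",     "CIDR:      192.0.2.0/24\nNetName:   EXAMPLE-ARIN\n"),
    ("198.51.100.9",  "NetRange:  198.51.100.0 - 198.51.100.255\nNetName:   EXAMPLE-ARIN-2\n"),
]

RANGE_RE = re.compile(
    r"^(?:inetnum|NetRange):\s*(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)", re.M | re.I)
CIDR_RE = re.compile(r"^CIDR:\s*([0-9./, ]+)", re.M | re.I)
NAME_RE = re.compile(r"^netname:\s*(\S+)", re.M | re.I)


def parse_whois(text):
    """Extract (lo, hi, netname) from one whois answer; None if no netblock line is found."""
    m = RANGE_RE.search(text)
    if m:
        lo, hi = (int(ipaddress.ip_address(a)) for a in m.groups())
    else:
        m = CIDR_RE.search(text)
        if not m:
            return None
        # ARIN may list several CIDRs for one allocation: keep their hull
        nets = [ipaddress.ip_network(c.strip()) for c in m.group(1).split(",") if c.strip()]
        lo = min(int(n.network_address) for n in nets)
        hi = max(int(n.broadcast_address) for n in nets)
    name = NAME_RE.search(text)
    return lo, hi, name.group(1) if name else "unknown"


class ReverseWhoisCache:
    """Maps an IP to the most specific netblock seen so far and to its owner."""

    def __init__(self):
        # keyed by (lo, hi): the same inetnum comes back for many queries inside
        # a /8, so duplicates collapse instead of piling up
        self.blocks = {}

    def learn(self, answer):
        parsed = parse_whois(answer)
        if parsed is None:
            return False
        lo, hi, name = parsed
        self.blocks[(lo, hi)] = name
        return True

    def _best(self, x):
        """Smallest known (lo, hi, name) containing integer address x, or None."""
        best = None
        for (lo, hi), name in self.blocks.items():
            if lo <= x <= hi and (best is None or hi - lo < best[1] - best[0]):
                best = (lo, hi, name)
        return best

    def lookup(self, ip):
        """Most specific block containing ip, as ("lo - hi", netname), or None."""
        best = self._best(int(ipaddress.ip_address(ip)))
        if best is None:
            return None
        rng = "%s - %s" % (ipaddress.ip_address(best[0]), ipaddress.ip_address(best[1]))
        return rng, best[2]

    def needs_refinement(self, cidr):
        """True when the best block for this prefix is coarser than the prefix itself,
        i.e. random-IP queries below it may still reveal a more specific allocation."""
        net = ipaddress.ip_network(cidr)
        best = self._best(int(net.network_address))
        return best is None or best[1] - best[0] > net.num_addresses - 1


if __name__ == "__main__":
    cache = ReverseWhoisCache()
    for _query, answer in SAMPLE_ANSWERS:
        cache.learn(answer)
    for ip in ("113.11.5.5", "113.11.200.1", "113.3.0.1", "192.0.2.7", "10.0.0.1"):
        print(ip, "->", cache.lookup(ip))
    print("113.11.0.0/24 needs refinement:", cache.needs_refinement("113.11.0.0/24"))
```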
Getting domains: the old school way

Algorithm
• Build a list of keywords: ministere, departement, mairie, finances, ville, loi, convention, confidentiel, ...
• Query: site:*.gouv.fr <KEYWORD>
• Grab all domains you can
• Got 238 domains from Bing
• Thank you http://www.tadaweb.com

[Screenshot: Google results for the query filetype:pdf inurl:gouv.fr "ne pas diffuser" (about 1,150 results), listing PDFs on www.sante-jeunesse-sports.gouv.fr and www.defense.gouv.fr]
Getting domains (plan B): using the cloud

Wait a second...
• We have a scalable architecture
• We have France: 97M IPs (GeoIP + whois)
• We have libleeloo to distribute these 97M IPs over our probes
=> Let's distribute the 97M DNS lookups!!

Results
• Duration: 15h
• Hosts: 5
• Unique domains found: 1342
• Unique IPs: 1295
• Subdomains: 143
• Network size: 7M IPs
Conclusion: targeting *.gouv.fr at cloud age

Finding targets

    # Schematic: hostnames, net and whois stand for the authors' own helpers
    def domains2IP(hostnames, pattern):
        domains = hostnames.grep(pattern)          # 1342 domains
        targets = []
        for d in domains:
            ip = gethostbyname(d)                  # domain -> IP
            targets += net.add(whois.get_range(ip))  # IP -> whole netrange
        return targets
Plan

1. I need an engineer
2. Targeting: snipe or mass destruction?
3. What can be done / found on the Internet
   • Vulnerability research
   • Scanning Spain
   • Diffing networks
   • Usage monitoring
A quick word about heartbleed

• Many scans looking for vulnerable servers...
• Most of the focus is on port 443
• Free advice: people should also look at OpenVPN and some other servers

Looking for a backdoor 



I'm gonna owned the Internet 



a Backdoor discovered (twice :) by Eloi Vanderbeken on some routers 

« Listen on TCP port 32764 

» No authentication, simple protocol 

• Let's start some recognition... 



OP 



I need an engineer Targeting: snipe or mass destruction? What can be done / found on the Internet 

oooooooooooooooooooooooooooooooooooooooo oooooooooooooooo ooo»ooooooooooooooooooo 



How to own the Internet 



My precious 



» Launch masscan on 32764: 30k packets/s 

0 around 50h later, about 1 million IPs discovered with TCP port 
32764 open 

« Used nodescan to verify these hosts: checking for backdoor signature 
as an answer of an invalid request 

0 By scanning about 6k IPs/s, a few minutes later, about 6000 devices 
were found vulnerable 



OP 



I need an engineer Targeting: snipe or mass destruction? What can be done / found on the Internet 
Gathering statistics about the backdoor

[Figure: charts of the vulnerable devices]

• Repartition by hardware: using the same scanner, a "version" and a "sys_desc" field have been grabbed. Manual mapping had to be done (thus the "Unidentified" field).
#define Spain

What is Spain?
• Country: 30M IPs
• Number of probes: 100
• Number of ports: 30
• Plugins: banners for Telnet & FTP, SSL certificate, SSH key, HTTP (index of, page title, headers, auth), heartbleed, NFS ls, FTP ls, MySQL info, hadoop, ...
• Scan duration: 25h

What does Internet.es look like?
[Figure: charts of the Internet.es scan results]

FTP at a glance

• FTP banners: 31959
• grep -i camera ftps | wc -l => 216
• grep -i "DSL router" ftps | wc -l => 2110

[Figure: word cloud of FTP banners, including "ProFTPD 1.3.3c Server ready", "FTP server ready", "MikroTik", "DiskStation FTP server ready", "batman FTP server (GNU inetutils 1.3.2) ready", "(none) FTP server (GNU inetutils 1.4.1) ready", "DSL Router FTP Server ready"]
MikroTik FTP?

• Actually all FTP banners containing MikroTik are unique

  LOURDES GARCIA LANDETE FTP server (MikroTik 5.11) ready: 1
  Nodo Formentera 2 V + H FTP server (MikroTik 5.25) ready: 1
  AYTO_SCOLA_MUSICA FTP server (MikroTik 5.25) ready: 1
  Cliente Danubio27 - Francisco Planells FTP server (MikroTik 5.19) ready: 1
  M26002512T FTP server (MikroTik 5.22) ready: 1
  SJVJCostaRdl FTP server (MikroTik 5.22) ready: 1
  ramon lopez perez FTP server (MikroTik 5.21) ready: 1
Someone is looking at your FTP servers

A long time ago, in a far far away FTP server...

• We noticed a file wOOOOOOOt.{php,txt} on 115 world-writable FTP servers

  $ cat wOOOOOOOt.txt
  wOOOOOOOOOOOOOOt
  $ cat wOOOOOOOt.php
  <?php echo base64_decode("bm9wZW5vcGVub3Bl"); ?>
  ; nopenopenope

• 104 out of the 115 are Microsoft FTPd
• Google(bm9wZW5vcGVub3Bl) → 2 servers
• Google(wOO...OOOt) → more IPs
• Anyone knows what tool leaves this signature?
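For an operator who finds such files on their own server, the useful steps are to recognise the marker pattern in a directory listing, confirm the directory really is world-writable, and read the embedded base64 without executing the PHP. The following is an added example (not code from the talk) doing exactly that over a constructed Unix-style FTP `LIST` output and a constructed copy of the one-line PHP shown above; the file-name regex accepts both the letter O and the digit 0, since the slide's OCR does not distinguish them, and the listing layout is assumed to be the usual nine-column `ls -l` format.

```python
"""Triage helper for the write-probe marker files described on the slide:
find w0...0t.{php,txt} entries in an FTP listing, check the permission bits,
and statically decode the base64 literal in the PHP variant.  Added example,
not code from the talk; all sample data is constructed."""
import base64
import re

# Constructed `LIST` output in ls -l style (dates, sizes, other files made up).
SAMPLE_LISTING = """\
drwxrwxrwx   2 ftp      ftp          4096 Jan 10 12:00 incoming
-rw-rw-rw-   1 ftp      ftp            16 Jan 10 12:01 w0000000t.txt
-rw-rw-rw-   1 ftp      ftp            45 Jan 10 12:01 w0000000t.php
-rw-r--r--   1 ftp      ftp           512 Jan 09 08:00 README
"""

# Constructed copy of the marker's PHP one-liner from the slide.
SAMPLE_PHP = '<?php echo base64_decode("bm9wZW5vcGVub3Bl"); ?>'

# "w" + a run of zeros (or OCR'd capital O's) + "t", with a .php or .txt suffix.
MARKER_NAME = re.compile(r"^w[0O]+t\.(php|txt)$", re.I)
# A base64 literal passed to base64_decode(...); only plain string literals.
PHP_B64 = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)')


def world_writable(perms):
    """True for a mode string like '-rw-rw-rw-' whose 'other' write bit is set."""
    return len(perms) == 10 and perms[8] == "w"


def find_marker_files(listing):
    """Return [(name, world_writable)] for listing entries matching the pattern."""
    hits = []
    for line in listing.splitlines():
        parts = line.split(None, 8)          # perms links owner group size mon day time name
        if len(parts) < 9:
            continue
        perms, name = parts[0], parts[8]
        if MARKER_NAME.match(name):
            hits.append((name, world_writable(perms)))
    return hits


def decode_php_marker(source):
    """Pull the base64 literal out of the PHP text and decode it; no execution.
    Returns None when the source carries no such literal."""
    m = PHP_B64.search(source)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("ascii", errors="replace")
    except ValueError:
        return None


if __name__ == "__main__":
    for name, writable in find_marker_files(SAMPLE_LISTING):
        print(f"{name}: world-writable={writable}")
    print("decoded:", decode_php_marker(SAMPLE_PHP))
```

Decoding the literal statically rather than running the file matters: the marker seen in the talk only prints a string, but the same pattern is how a probe would check whether uploaded PHP gets executed, so an operator's first question is whether the FTP root is also served by a web server.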
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oooooooooooooooooooooooooooooooooooooooo oooooooooooooooo oooooooooooooo»oooooooo 



Long tail of lnternet.es (a.k.a. wtf.es) 



9 3M Filtrete 3M-50 thermostat: thermostat with WiFi control. . . on 
the Internet 

9 http: / /www. radiothermostat.com/filtrete/products/3M-50/ 




I need an engineer Targeting: snipe or mass destruction? What can be done / found on the Internet 

oooooooooooooooooooooooooooooooooooooooo oooooooooooooooo oooooooooooooo»oooooooo 



Long tail of lnternet.es (a.k.a. wtf.es) 



» merten@home: remote for everything at home 




I need an engineer Targeting: snipe or mass destruction? What can be done / found on the Internet 

oooooooooooooooooooooooooooooooooooooooo oooooooooooooooo oooooooooooooo»oooooooo 



Long tail of lnternet.es (a.k.a. wtf.es) 



9 merten@home: awarded in 2004 and 2006!! 



SYSTEM DATA AND VERSION DETAILS 

The device Is currently showing the following equipment 
and versions 

Hardware version: 0001-0101-008 
RAM memory: 16 
ROM memory: 4 

Integrated modem: 1 
USB devices: 1 

Firmware version: 02.32 
Firmware date: 2006-01-24 
Interface version: 1.02 



» I Return to homepage (login) 



I need an engineer Targeting: snipe or mass destruction? What can be done / found on the Internet 
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Long tail of lnternet.es (a.k.a. wtf.es) 



• Moxa NPort 5410: serial to IP converter for PLC, industrial 
systems, . . . 




OP 
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Long tail of lnternet.es (a.k.a. wtf.es) 




OP 



I need an engineer Targeting: snipe or mass destruction? What can be done / found on the Internet 

oooooooooooooooooooooooooooooooooooooooo oooooooooooooooo ooooooooooooooo»ooooooo 



Plan

• I need an engineer
• Targeting: snipe or mass destruction?
• What can be done / found on the Internet
  • Diffing networks
Monitoring == diffing 
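Monitoring by diffing means keeping each scan as a snapshot and reporting only what moved between two of them: hosts that appeared or vanished, ports that opened or closed, and banners that changed (a version bump, a replaced service, a device swapped behind the same address). The code below is an added example, not the talk's tooling; the two snapshots are constructed `(ip, port, banner)` records in documentation address space, and the record shape itself is an assumption.

```python
"""Diff two scan snapshots so repeated scans become monitoring.  Added example
(not from the talk); the snapshots are constructed sample data."""
from collections import defaultdict

# Snapshot at time t0: (ip, port, banner).  Constructed.
SCAN_T0 = [
    ("198.51.100.10", 21, "220 ProFTPD 1.3.3c Server ready"),
    ("198.51.100.10", 80, "Server: nginx"),
    ("198.51.100.20", 21, "220 DiskStation FTP server ready"),
    ("198.51.100.30", 443, "Server: Apache"),
]

# Snapshot at time t1.  Constructed: one banner changed, one port opened,
# one host disappeared, one host is new.
SCAN_T1 = [
    ("198.51.100.10", 21, "220 ProFTPD 1.3.5 Server ready"),
    ("198.51.100.10", 80, "Server: nginx"),
    ("198.51.100.10", 23, "telnet login:"),
    ("198.51.100.20", 21, "220 DiskStation FTP server ready"),
    ("198.51.100.40", 22, "SSH-2.0-OpenSSH_6.6"),
]


def index(scan):
    """{ip: {port: banner}} view of a flat record list (last record wins)."""
    hosts = defaultdict(dict)
    for ip, port, banner in scan:
        hosts[ip][port] = banner
    return hosts


def diff_scans(old, new):
    """Report what changed between two snapshots, keyed by change type."""
    a, b = index(old), index(new)
    report = {
        "new_hosts": sorted(set(b) - set(a)),
        "gone_hosts": sorted(set(a) - set(b)),
        "opened": [],   # (ip, port, banner) newly seen on a known host
        "closed": [],   # (ip, port) no longer answering on a known host
        "changed": [],  # (ip, port, old_banner, new_banner)
    }
    for ip in sorted(set(a) & set(b)):
        old_ports, new_ports = set(a[ip]), set(b[ip])
        for port in sorted(new_ports - old_ports):
            report["opened"].append((ip, port, b[ip][port]))
        for port in sorted(old_ports - new_ports):
            report["closed"].append((ip, port))
        for port in sorted(old_ports & new_ports):
            if a[ip][port] != b[ip][port]:
                report["changed"].append((ip, port, a[ip][port], b[ip][port]))
    return report


def summarize(report):
    """Human-readable lines, one per change, for an alert or a daily mail."""
    lines = [f"+host {ip}" for ip in report["new_hosts"]]
    lines += [f"-host {ip}" for ip in report["gone_hosts"]]
    lines += [f"+port {ip}:{port} {banner!r}" for ip, port, banner in report["opened"]]
    lines += [f"-port {ip}:{port}" for ip, port in report["closed"]]
    lines += [f"~banner {ip}:{port} {old!r} -> {new!r}"
              for ip, port, old, new in report["changed"]]
    return lines


if __name__ == "__main__":
    for line in summarize(diff_scans(SCAN_T0, SCAN_T1)):
        print(line)
```

The point of emitting change records rather than the full scan is that a perimeter of thousands of hosts produces a handful of lines per day, which is something a team will actually read; the "changed" entries are usually the interesting ones, since a banner that moves without a planned upgrade means someone else touched the box.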
Plan

• I need an engineer
• Targeting: snipe or mass destruction?
• What can be done / found on the Internet
  • Scanning Spain
  • Usage monitoring
PayTV Internet Sharing

CCcam

• One host (master) shares a card with several clients
• When one client receives an encrypted payload, it is sent to the master
• The master deciphers the payload, sends it back to the client
• Very lucrative business

Usage statistics

• Scan a few ports, the usual ones where CCcam is running
• Connect to the server to get plenty of information
Piracy monitoring

(chart-only slides; no text recovered)
Conclusion

Port scan is not for pussies anymore at the cloud age

• Port scan is not only about the port scanner itself
• Scalability: distribution of the task
• Big Data: unstructured data with a lot of inserts, need for indexation
• Admin: automatically sending emails to abuse@... is free, but you should have more serious things to deal with than port scans in 2014
• Legal: no idea if it is legal or not, but if it is not, it just helps the bad guys, so it is stupid

Conclusion

What is massive port scan good for?

• Security is not about patching anymore
  • Try to prevent the attack (IDS, IPS, exploit mitigation, AV, ...)
  • Assume the attack will succeed anyway :(
  ⇒ Need to know what / where your assets are
    • To elaborate your defensive strategy
    • To elaborate your recovery plan

Questions?

Challenge accepted: klapspaan